[test] Subnet filter testing (#357)

Andrews2024 · web-flow · commit 6d72edbcecd9 · 2025-03-19T14:34:10.000-04:00
* Add options to specify vpc name and generate capl manifests with different names

* Added make targets for generating manifests and modifying clusters

* Updating script calls and started testing chainsaw test

* WIP: Updating make target and chainsaw test

* Finished chainsaw test

* Updated process for running subnet testing

* Switched tabs to spaces

* Addressed Makefile comments

* Addressed Makefile comments and added log checking to test
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -123,6 +123,9 @@ jobs:
       - name: Run Cilium BGP e2e test
         run: devbox run e2e-test-bgp
 
+      - name: Run subnet filtering test
+        run: devbox run e2e-test-subnet
+
       - name: Cleanup Resources
         if: always()
         run: devbox run cleanup-cluster
diff --git a/Makefile b/Makefile
@@ -14,16 +14,21 @@ HELM_VERSION            ?= v3.16.3
 # Dev Setup
 #####################################################################
 CLUSTER_NAME            ?= ccm-$(shell git rev-parse --short HEAD)
+SUBNET_CLUSTER_NAME     ?= subnet-testing-$(shell git rev-parse --short HEAD)
+VPC_NAME                ?= $(CLUSTER_NAME)
+MANIFEST_NAME           ?= capl-cluster-manifests
+SUBNET_MANIFEST_NAME    ?= subnet-testing-manifests
 K8S_VERSION             ?= "v1.31.2"
 CAPI_VERSION            ?= "v1.8.5"
 CAAPH_VERSION           ?= "v0.2.1"
-CAPL_VERSION            ?= "v0.7.1"
+CAPL_VERSION            ?= "v0.8.5"
 CONTROLPLANE_NODES      ?= 1
 WORKER_NODES            ?= 1
 LINODE_FIREWALL_ENABLED ?= true
 LINODE_REGION           ?= us-lax
 LINODE_OS               ?= linode/ubuntu22.04
 KUBECONFIG_PATH         ?= $(CURDIR)/test-cluster-kubeconfig.yaml
+SUBNET_KUBECONFIG_PATH	?= $(CURDIR)/subnet-testing-kubeconfig.yaml
 MGMT_KUBECONFIG_PATH    ?= $(CURDIR)/mgmt-cluster-kubeconfig.yaml
 
 # if the $DEVBOX_PACKAGES_DIR env variable exists that means we are within a devbox shell and can safely
@@ -144,14 +149,15 @@ capl-cluster: generate-capl-cluster-manifests create-capl-cluster patch-linode-c
 .PHONY: generate-capl-cluster-manifests
 generate-capl-cluster-manifests:
 	# Create the CAPL cluster manifests without any CSI driver stuff
-	LINODE_FIREWALL_ENABLED=$(LINODE_FIREWALL_ENABLED) LINODE_OS=$(LINODE_OS) clusterctl generate cluster $(CLUSTER_NAME) \
+	LINODE_FIREWALL_ENABLED=$(LINODE_FIREWALL_ENABLED) LINODE_OS=$(LINODE_OS) VPC_NAME=$(VPC_NAME) clusterctl generate cluster $(CLUSTER_NAME) \
 		--kubernetes-version $(K8S_VERSION) --infrastructure linode-linode:$(CAPL_VERSION) \
-		--control-plane-machine-count $(CONTROLPLANE_NODES) --worker-machine-count $(WORKER_NODES) > capl-cluster-manifests.yaml
+		--control-plane-machine-count $(CONTROLPLANE_NODES) --worker-machine-count $(WORKER_NODES) > $(MANIFEST_NAME).yaml
+	yq -i e 'select(.kind == "LinodeVPC").spec.subnets = [{"ipv4": "10.0.0.0/8", "label": "default"}, {"ipv4": "172.16.0.0/16", "label": "testing"}]' $(MANIFEST_NAME).yaml
 
 .PHONY: create-capl-cluster
 create-capl-cluster:
 	# Create a CAPL cluster with updated CCM and wait for it to be ready
-	kubectl apply -f capl-cluster-manifests.yaml
+	kubectl apply -f $(MANIFEST_NAME).yaml
 	kubectl wait --for=condition=ControlPlaneReady cluster/$(CLUSTER_NAME) --timeout=600s || (kubectl get cluster -o yaml; kubectl get linodecluster -o yaml; kubectl get linodemachines -o yaml)
 	kubectl wait --for=condition=NodeHealthy=true machines -l cluster.x-k8s.io/cluster-name=$(CLUSTER_NAME) --timeout=900s
 	clusterctl get kubeconfig $(CLUSTER_NAME) > $(KUBECONFIG_PATH)
@@ -207,6 +213,27 @@ e2e-test-bgp:
 		LINODE_TOKEN=$(LINODE_TOKEN) \
 		chainsaw test e2e/bgp-test/lb-cilium-bgp $(E2E_FLAGS)
 
+.PHONY: e2e-test-subnet
+e2e-test-subnet: 
+	# Generate cluster manifests for second cluster
+	SUBNET_NAME=testing CLUSTER_NAME=$(SUBNET_CLUSTER_NAME) MANIFEST_NAME=$(SUBNET_MANIFEST_NAME) VPC_NAME=$(CLUSTER_NAME) \
+		VPC_NETWORK_CIDR=172.16.0.0/16 K8S_CLUSTER_CIDR=172.16.64.0/18 make generate-capl-cluster-manifests
+	# Add subnetNames to HelmChartProxy	
+	yq e 'select(.kind == "HelmChartProxy" and .spec.chartName == "ccm-linode").spec.valuesTemplate' $(SUBNET_MANIFEST_NAME).yaml > tmp.yaml
+	yq -i e '.routeController  += {"subnetNames": "testing"}' tmp.yaml
+	yq -i e '.routeController.vpcNames = "{{.InfraCluster.spec.vpcRef.name}}"' tmp.yaml
+	yq -i e 'select(.kind == "HelmChartProxy" and .spec.chartName == "ccm-linode").spec.valuesTemplate = load_str("tmp.yaml")' $(SUBNET_MANIFEST_NAME).yaml
+	rm tmp.yaml
+	# Create the second cluster
+	MANIFEST_NAME=$(SUBNET_MANIFEST_NAME) CLUSTER_NAME=$(SUBNET_CLUSTER_NAME) KUBECONFIG_PATH=$(SUBNET_KUBECONFIG_PATH) \
+		make create-capl-cluster
+	KUBECONFIG_PATH=$(SUBNET_KUBECONFIG_PATH) make patch-linode-ccm
+	# Run chainsaw test
+	LINODE_TOKEN=$(LINODE_TOKEN) \
+		FIRST_CONFIG=$(KUBECONFIG_PATH) \
+		SECOND_CONFIG=$(SUBNET_KUBECONFIG_PATH) \
+		chainsaw test e2e/subnet-test $(E2E_FLAGS)
+
 #####################################################################
 # OS / ARCH
 #####################################################################
diff --git a/devbox.json b/devbox.json
@@ -22,6 +22,7 @@
       "mgmt-and-capl-cluster": "make mgmt-and-capl-cluster",
       "e2e-test": "make e2e-test",
       "e2e-test-bgp": "make e2e-test-bgp",
+      "e2e-test-subnet": "make e2e-test-subnet",
       "cleanup-cluster": "make cleanup-cluster"
     }
   },
diff --git a/e2e/subnet-test/chainsaw-test.yaml b/e2e/subnet-test/chainsaw-test.yaml
@@ -0,0 +1,78 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: subnet-filtering-test
+  labels:
+    all:
+spec:
+  bindings:
+    - name: fwname
+      value: (join('-', ['ccm-fwtest', env('CLUSTER_NAME')]))
+  namespace: "subnet-filtering-test"
+  steps:
+    - name: Check if the CCM for each cluster focus on their individual subnets
+      try:
+        - script:
+            content: |
+              set -e
+
+              if [ -z "$FIRST_CONFIG" ] || [ -z "$SECOND_CONFIG" ] || [ -z "$LINODE_TOKEN" ]; then
+                  echo "Error: FIRST_CONFIG, SECOND_CONFIG, and LINODE_TOKEN environment variables must be set"
+                  exit 1
+              fi
+
+              # Iterate through both clusters
+              for config in "$FIRST_CONFIG" "$SECOND_CONFIG"; do
+                # Get all node names
+                nodes=$(KUBECONFIG=$config kubectl get nodes -o jsonpath='{.items[*].metadata.name}')
+                if [ -z "$nodes" ]; then
+                    echo "Error: No nodes found in cluster"
+                    exit 1
+                fi
+
+                # Process each node
+                for node in $nodes; do
+                    echo "Checking node: $node"
+                    
+                    # Get pod CIDR and instance ID
+                    pod_cidr=$(KUBECONFIG=$config kubectl get node "$node" -o jsonpath='{.spec.podCIDR}')
+                    instance_id=$(KUBECONFIG=$config kubectl get node "$node" -o jsonpath='{.spec.providerID}' | sed 's/linode:\/\///')
+                    
+                    echo "  Pod CIDR: $pod_cidr"
+                    echo "  Instance ID: $instance_id"
+                    
+                    # Get interface details for this config
+                    interfaces=$(curl -s \
+                        -H "Authorization: Bearer $LINODE_TOKEN" \
+                        "https://api.linode.com/v4/linode/instances/$instance_id/configs" \
+                        | jq -r '.data[0].interfaces')
+                    
+                    # Check if pod CIDR is in the VPC interface IP ranges
+                    if echo "$interfaces" | jq -e --arg cidr "$pod_cidr" '.[] | select(.purpose == "vpc") | .ip_ranges[] | select(. == $cidr)' > /dev/null; then
+                        echo "Pod CIDR found in VPC interface configuration"
+                    else
+                        echo "Pod CIDR not found in VPC interface configuration"
+                        echo "Current VPC interface configuration:"
+                        echo "$interfaces" | jq '.[] | select(.purpose == "vpc")'
+                    fi
+                    
+                    echo "---"
+                done
+              done
+
+              # Grep logs of each cluster for IPs from the other cluster
+              echo "Checking logs of each CCM"
+              if ! [ $(KUBECONFIG=$FIRST_CONFIG kubectl logs daemonset/ccm-linode -n kube-system | grep "172.16" | wc -l) -eq 0 ]; then
+                echo "IP address from testing subnet found in logs of test cluster"
+                exit 1
+              fi
+
+              if ! [ $(KUBECONFIG=$SECOND_CONFIG kubectl logs daemonset/ccm-linode -n kube-system | grep "10.192" | wc -l) -eq 0 ]; then
+                echo "IP address from default subnet found in logs of second cluster"
+                exit 1
+              fi
+
+            check:
+              ($error == null): true
+              (contains($stdout, 'Pod CIDR not found in VPC interface configuration')): false

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@`
`22`	`22`	`"mgmt-and-capl-cluster": "make mgmt-and-capl-cluster",`
`23`	`23`	`"e2e-test": "make e2e-test",`
`24`	`24`	`"e2e-test-bgp": "make e2e-test-bgp",`
	`25`	`+ "e2e-test-subnet": "make e2e-test-subnet",`
`25`	`26`	`"cleanup-cluster": "make cleanup-cluster"`
`26`	`27`	`}`
`27`	`28`	`},`